Severity: High. Category: Infrastructure.

API Endpoint Exposure

APIs power modern web applications, but improperly secured API endpoints can expose sensitive data or allow unauthorised actions. Common issues include unprotected endpoints, exposed Swagger/OpenAPI docs, missing authentication, and APIs that return more data than necessary.

What SecurityStatus Checks

  • Common API paths: /api, /api/v1, /graphql, /swagger, /api-docs, /openapi.json
  • Whether API documentation endpoints (Swagger UI, GraphQL introspection) are publicly accessible
  • Whether API endpoints return sensitive data without authentication
  • CORS configuration on API endpoints

Why This Matters

Exposed API documentation tells attackers exactly how your API works — every endpoint, parameter, and response format. GraphQL introspection, when left enabled in production, reveals your entire data model. Unprotected API endpoints allow data extraction at scale without triggering traditional web application firewalls.

How to Fix It

  1. Require authentication on all sensitive endpoints

    Every endpoint that accesses user data or performs actions must require authentication. Use JWT tokens, API keys, or session cookies — but never leave endpoints that return user data accessible without auth.

  2. Disable GraphQL introspection in production

    GraphQL introspection returns your entire schema to any caller. Disable it in production: in Apollo Server, set `introspection: false` in production environments. Developers can still use introspection locally.

  3. Restrict Swagger/OpenAPI UI

    If you expose API documentation, put it behind authentication or restrict it to internal network access. API docs are valuable for your developers but are a roadmap for attackers.

  4. Apply rate limiting to all API endpoints

    Even authenticated endpoints need rate limiting to prevent automated data scraping. Implement rate limits at the API gateway or web server level based on IP, API key, or user account.
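The four steps above, combined in one dependency-free Node.js request handler. This is an added example, not SecurityStatus code or a snippet from any framework: requests are plain objects so the logic can be exercised without opening a socket, the `x-api-key` header, the sample keys, the address ranges treated as internal and the limit of 5 requests per minute are all assumptions, and the introspection check is a text match standing in for what a real GraphQL engine does when introspection is switched off.

```javascript
// Added example (not SecurityStatus code). Requests are plain objects
// { method, path, headers, ip, body } so every branch can be called directly.

const NODE_ENV = 'production';                            // assumption: 'development' re-enables introspection
const VALID_API_KEYS = new Set(['key-alice', 'key-bob']); // constructed sample keys

// Step 1: every endpoint touching user data needs a credential.
// Returns the principal (here the API key itself) or null.
function authenticate(headers) {
  const key = headers['x-api-key'];
  return key && VALID_API_KEYS.has(key) ? key : null;
}

// Step 2: refuse introspection in production. A real server disables it in
// the engine (Apollo: `introspection: false`); this stand-in looks for the
// introspection root fields. `__typename` is deliberately not matched.
function isIntrospectionQuery(query) {
  return /__schema\b|__type\b/.test(query);
}

// Step 3: documentation is served only to private address space or to a
// caller that already presented a valid key.
function isInternalAddress(ip) {
  return /^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)/.test(ip);
}

// Step 4: fixed-window limit keyed by API key, or by IP when unauthenticated,
// so unauthenticated probing is throttled too.
const RATE_LIMIT = 5;            // requests per window (assumption)
const WINDOW_MS = 60 * 1000;
const buckets = new Map();

function rateLimited(subject, now = Date.now()) {
  const b = buckets.get(subject);
  if (!b || now - b.start >= WINDOW_MS) {
    buckets.set(subject, { start: now, count: 1 });
    return false;
  }
  b.count += 1;
  return b.count > RATE_LIMIT;
}

// Dispatcher: rate limit first, then route-specific auth decisions.
function handle(req) {
  const principal = authenticate(req.headers);
  if (rateLimited(principal || req.ip)) return { status: 429, body: 'rate limited' };

  if (req.path === '/swagger' || req.path === '/openapi.json') {
    // 404 rather than 403 so an outsider learns nothing about the docs' existence.
    if (!principal && !isInternalAddress(req.ip)) return { status: 404, body: '' };
    return { status: 200, body: 'openapi document' };
  }
  if (req.path === '/graphql') {
    if (!principal) return { status: 401, body: 'authentication required' };
    if (NODE_ENV === 'production' && isIntrospectionQuery(req.body.query || '')) {
      return { status: 400, body: 'introspection disabled' };
    }
    return { status: 200, body: 'graphql result' };
  }
  if (req.path.startsWith('/api/v1/')) {
    if (!principal) return { status: 401, body: 'authentication required' };
    return { status: 200, body: `data for ${principal}` };
  }
  return { status: 404, body: '' };
}

// Constructed sample call: an unauthenticated read of user data is refused.
console.log(handle({ method: 'GET', path: '/api/v1/users', headers: {}, ip: '203.0.113.5', body: {} }));
```

The order matters: the rate limiter runs before authentication so that repeated unauthenticated requests are throttled by source address, and the docs route answers 404 to outsiders instead of 403 so it does not confirm that documentation exists.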

Frequently Asked Questions

Should I expose my API documentation publicly?

For public APIs, yes — documentation is necessary. For internal APIs, no. Restrict API docs to authenticated users or internal network access. A breach via API documentation is a known attack vector.

What is BOLA/IDOR and how do I prevent it?

Broken Object Level Authorisation (BOLA), also known as Insecure Direct Object Reference (IDOR), is when an API returns data for any resource ID without checking whether the requesting user owns it. Always verify that the authenticated user owns or has access to the requested resource.

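The ownership check described in that answer, shown as an added example (not SecurityStatus code): the same "get invoice" handler written first without the check and then with it. The invoice records, the user object shape and the route parameter name are constructed for the example.

```javascript
// Added example (not SecurityStatus code). Constructed data store: two
// invoices owned by two different users.
const invoices = new Map([
  [101, { id: 101, ownerId: 'alice', amount: 120 }],
  [102, { id: 102, ownerId: 'bob',   amount: 75  }],
]);

// BOLA/IDOR: the handler trusts the ID from the URL and never asks who is
// calling, so any authenticated user can read any invoice.
function getInvoiceVulnerable(user, invoiceId) {
  const inv = invoices.get(invoiceId);
  return inv ? { status: 200, body: inv } : { status: 404 };
}

// Fixed: the lookup is scoped to the authenticated user. "Missing" and "not
// yours" get the same 404 so the response does not confirm that the ID exists.
function getInvoiceSecure(user, invoiceId) {
  const inv = invoices.get(invoiceId);
  if (!inv || inv.ownerId !== user.id) return { status: 404 };
  return { status: 200, body: inv };
}

// Route wrapper: validate the parameter before it reaches the lookup, then
// apply the ownership check. `params.id` is the assumed route parameter.
function handleGetInvoice(user, params) {
  const id = Number(params.id);
  if (!Number.isInteger(id) || id <= 0) return { status: 400 };
  return getInvoiceSecure(user, id);
}
```

In a real codebase the ownership condition belongs in the data-access layer (a query that always filters by the caller's identity) rather than in each handler, so that a forgotten check in one route cannot reopen the hole.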
Is GraphQL less secure than REST?

GraphQL has unique risks (introspection, batching attacks, deep queries) but is not inherently less secure. It requires different security controls: disable introspection in prod, limit query depth, implement rate limiting by query complexity.
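The depth limit, the alias (batching) limit and the complexity budget mentioned in that answer, as an added example that is not SecurityStatus code and not graphql-js. Production servers apply these rules to the parsed AST (a validation rule or cost plugin in the GraphQL engine); this stand-in scans the raw query text, and the limits in `POLICY` are assumptions.

```javascript
// Added example (not SecurityStatus code or graphql-js): approximate depth,
// alias and cost checks on raw GraphQL text.

// Blank out string literals and argument lists so braces and colons inside
// them are not mistaken for selection sets or aliases.
function stripLiteralsAndArgs(query) {
  return query.replace(/"(?:\\.|[^"\\])*"/g, '""').replace(/\([^()]*\)/g, '()');
}

// Nesting depth of selection sets; the operation's outer block counts as 1.
function queryDepth(query) {
  let depth = 0, max = 0;
  for (const c of stripLiteralsAndArgs(query)) {
    if (c === '{') max = Math.max(max, ++depth);
    else if (c === '}') depth--;
  }
  return max;
}

// Aliased fields (`a1: login(...)`) let one request repeat an operation many
// times, which is how batching defeats per-request rate limits.
function aliasCount(query) {
  const m = stripLiteralsAndArgs(query).match(/\b[A-Za-z_]\w*\s*:\s*[A-Za-z_]\w*/g);
  return m ? m.length : 0;
}

const POLICY = { maxDepth: 6, maxAliases: 10, budgetPerMinute: 200 }; // assumptions

// Reject over-deep or over-batched documents; otherwise return a cost that the
// caller charges against the client's budget.
function checkQueryPolicy(query, policy = POLICY) {
  const depth = queryDepth(query);
  const aliases = aliasCount(query);
  if (depth > policy.maxDepth) return { ok: false, reason: `depth ${depth} > ${policy.maxDepth}` };
  if (aliases > policy.maxAliases) return { ok: false, reason: `aliases ${aliases} > ${policy.maxAliases}` };
  return { ok: true, cost: depth + aliases };
}

// Per-client complexity budget in a fixed one-minute window: rate limiting by
// query cost rather than by request count. Returns false once exhausted.
const budgets = new Map();
function chargeClient(client, cost, now = Date.now(), policy = POLICY) {
  const b = budgets.get(client);
  if (!b || now - b.start >= 60 * 1000) {
    budgets.set(client, { start: now, spent: cost });
    return cost <= policy.budgetPerMinute;
  }
  b.spent += cost;
  return b.spent <= policy.budgetPerMinute;
}

// Constructed sample: a harmless query and its cost.
console.log(checkQueryPolicy('{ me { name } }'));
```

A query that passes the static checks still consumes budget, so a client sending many modest queries is throttled by total cost rather than by request count, which is the point of complexity-based limiting.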
